| # Generic labels for system content. All three types join cros_system_file_type, the attribute that |
| # the dir-search rule below and the neverallow on file writes at the end of this file are keyed on. |
| # TODO(fqj): go over the files labeled cros_system_file, label exec-only ones, and rename them with an _exec suffix. |
| # NOTE(review): until that TODO is done, exec_type sits on the catch-all system label rather than only on individual binaries. |
| type cros_system_file, exec_type, file_type, cros_system_file_type, cros_file_type; |
| type cros_usr_dirs, file_type, cros_system_file_type, cros_file_type; |
| type cros_conf_file, file_type, cros_system_file_type, cros_file_type; |
| # Any chromeos_domain may traverse (search) directories of every cros_system_file_type type; search alone grants neither listing nor file access. |
| allow chromeos_domain cros_system_file_type:dir search; |
| |
| # Kernel module labels. Presumably the _ko_ type is for the loadable objects and the other for the rest of the modules tree — confirm in file_contexts. |
| type cros_kernel_modules_ko_file, file_type, cros_file_type, cros_system_file_type; |
| type cros_kernel_modules_file, file_type, cros_file_type, cros_system_file_type; |
| |
| # Startup script label; carries exec_type like the per-daemon executables below. |
| type chromeos_startup_script_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| # Tagged cros_uncategorized_file_type, not cros_system_file_type, so rules and assertions keyed on the system attribute do not cover it. |
| type cros_dev_image_files, file_type, cros_file_type, cros_uncategorized_file_type; |
| |
| # Seccomp policy files are system files, so the neverallow on cros_system_file_type:file { unlink append write } at the end of this file applies to them. |
| type cros_seccomp_policy_file, file_type, cros_file_type, cros_system_file_type; |
| |
| # Per-binary executable labels: one type per daemon or tool, each carrying exec_type and cros_system_file_type. |
| # Presumably these are the entrypoint types for per-service domains whose transition rules live in other files — confirm there. |
| # Because they are in cros_system_file_type, the neverallow at the end of this file asserts that no domain may write, append to or unlink these files. |
| type cros_accelerator_logs_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_anomaly_detector_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_apk_cache_cleaner_jailed_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_arc_oemcrypto_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_arc_setup_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_avahi_daemon_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_bluetoothd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_bootstat_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_btdispatch_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_camera_algo_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_camera_service_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_chapsd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_chromeos_cleanup_logs_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_chromeos_trim_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_chrt_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_conntrackd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_cras_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_crash_reporter_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_crash_sender_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_cryptohomed_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_dbus_daemon_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_dbus_uuidgen_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_debugd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_dhcpcd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_disks_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_jetstream_update_stats_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_journald_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_logger_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_machine_id_regen_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_memd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_metrics_client_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_metrics_daemon_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_midis_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_minijail_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_modem_manager_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_modprobe_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_mtpd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_newblued_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_periodic_scheduler_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_permission_broker_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_powerd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_restorecon_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_rsyslogd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_session_manager_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_shill_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_sshd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_sslh_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_tcsd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_tlsdated_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_udevd_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_update_engine_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| # NOTE(review): named _file but declared with exec_type, unlike every other type in this list; a candidate for the _exec rename in the TODO at the top of this file. |
| type cros_userfeedback_file, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type cros_wpa_supplicant_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| # Labels for the home tree; every type carries cros_home_file_type. |
| # The names appear to mirror path components (shadow / uid / root / per-daemon directory) — confirm the mapping in file_contexts. |
| # Distinct per-daemon types let rules elsewhere name one daemon's directory without covering the others. |
| type cros_home, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_user, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_root, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_chronos, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid, file_type, cros_file_type, cros_home_file_type; |
| # NOTE(review): presumably holds credential material; no rule in this file restricts it, so check that only the intended domains are granted access elsewhere. |
| type cros_home_shadow_low_entropy_creds, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_user, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_android, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_android_cache, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_authpolicyd, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_chaps, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_session_manager, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_shill, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_shill_logs, file_type, cros_file_type, cros_home_file_type; |
| type cros_home_shadow_uid_root_usb_bouncer, file_type, cros_file_type, cros_home_file_type; |
| |
| # Declared with file_type only: it carries none of the cros_* attributes, so attribute-wide cros rules do not apply to it. |
| type system_data_file, file_type; # this is Android file label. |
| # Granted to the whole "domain" attribute, not just chromeos_domain. It applies to class dir and to the cros_home type only, |
| # so it covers neither files nor the more specific cros_home_* types. r_dir_perms is defined elsewhere — presumably read-only directory access; confirm. |
| allow domain cros_home:dir r_dir_perms; |
| |
| # Shared tool label: a single type for the coreutils binaries (presumably; confirm which paths map to it in file_contexts). |
| type cros_coreutils_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| # Executable labels declared without the cros_ prefix. |
| type frecon_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type sh_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| type upstart_socket_bridge_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| type chrome_browser_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| # NOTE(review): the name suggests an entrypoint into an unconfined domain; which files receive this label is decided in file_contexts, so audit that list — confirm. |
| type cros_unconfined_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| # Init script labels. Besides exec_type and the system-file attributes, each carries cros_init_scripts_file_type, |
| # so rules elsewhere can address all init scripts through that one attribute. |
| # cros_init_shell_scripts is the only plural, generic name here — presumably the fallback label for scripts without a dedicated type; confirm. |
| type cros_init_activate_date_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_chapsd_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_crx_import_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_lockbox_cache_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_powerd_pre_start_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_shell_scripts, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_shill_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_sshd_pre_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_start_bluetoothd_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_start_bluetoothlog_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_ui_pre_start_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| type cros_init_ui_respawn_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type; |
| |
| type cros_ionice_exec, exec_type, file_type, cros_file_type, cros_system_file_type; |
| |
| # SELinux configuration files are system files, so the neverallow on cros_system_file_type:file { unlink append write } at the end of this file covers them. |
| type cros_selinux_config_file, file_type, cros_file_type, cros_system_file_type; |
| |
| # Labels for the /var tree; all carry cros_var_file_type. |
| # The five subdirectory types below are the targets of the named file transitions in the "/var files creation" section of this file. |
| type cros_var, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_cache, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_log, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_spool, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_empty, file_type, cros_file_type, cros_var_file_type; |
| |
| # /var/cache |
| type cros_var_cache_shill, file_type, cros_file_type, cros_var_file_type; |
| |
| # /var/lib: one type per daemon state directory, so a rule can name a single daemon's state without covering the rest. |
| type cros_var_lib_bluetooth, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_chaps, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_crash_reporter, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_dbus, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_imageloader, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_oemcrypto, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_oobe_config_restore, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_power_manager, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_preload_network_drivers, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_shill, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_tpm, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_trim, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_ui, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_update_engine, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_ureadahead, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_lib_whitelist, file_type, cros_file_type, cros_var_file_type; |
| |
| # /var/log: log types additionally carry cros_log_type, so rules elsewhere can address all logs through that attribute. |
| # NOTE(review): cros_metrics_file, cros_metrics_uma_events_file and cros_powerd_log are declared without cros_log_type, |
| # so attribute-wide log rules will not cover them — confirm this is intended, in particular for cros_powerd_log. |
| type cros_arc_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_authpolicy_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_boot_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_hammerd_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_metrics_file, file_type, cros_file_type, cros_var_file_type; |
| type cros_metrics_uma_events_file, file_type, cros_file_type, cros_var_file_type; |
| type cros_net_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_powerd_log, file_type, cros_file_type, cros_var_file_type; |
| type cros_secure_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_syslog, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_tlsdate_log, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_var_log_chrome, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_var_log_eventlog, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| type cros_var_log_journal, file_type, cros_log_type, cros_file_type, cros_var_file_type; |
| |
| # /var/spool |
| type cros_crash_spool, file_type, cros_file_type, cros_var_file_type; |
| # NOTE(review): the only type in this file with a _t suffix; renaming would have to be coordinated with every file that references it. |
| type cros_periodic_scheduler_cache_t, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_spool_power_manager, file_type, cros_file_type, cros_var_file_type; |
| |
| # Runtime-state labels; all carry cros_run_file_type. The first three keep names without the cros_ prefix for compatibility, as their inline comments state. |
| type arc_dir, file_type, cros_file_type, cros_run_file_type; # compatible to pre-work label names for /run/chrome. |
| type camera_socket, file_type, cros_file_type, cros_run_file_type; # compatible to existing Android names. |
| type cras_socket, file_type, cros_file_type, cros_run_file_type; # compatible to existing Android names. |
| # cros_run is the parent label that the type_transition to tmpfs later in this file is keyed on. |
| type cros_run, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_avahi_daemon, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_containers, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_crash_reporter, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_dbus, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_frecon, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_ipsec, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_journal, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_lock, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_power_manager, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_session_manager, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_shill, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_systemd, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_tcsd, file_type, cros_file_type, cros_run_file_type; |
| type cros_run_udev, file_type, cros_file_type, cros_run_file_type; |
| |
| # Lock files, grouped under cros_tmpfile_type. |
| type cros_conntrackd_lock_file, file_type, cros_file_type, cros_tmpfile_type; |
| type cros_power_override_lock_file, file_type, cros_file_type, cros_tmpfile_type; |
| |
| # NOTE(review): the account database labels sit in cros_uncategorized_file_type, not cros_system_file_type, so the neverallow on |
| # cros_system_file_type:file writes at the end of this file does not cover them; who may read or modify cros_shadow_file is decided by rules elsewhere. |
| type cros_passwd_file, file_type, cros_file_type, cros_uncategorized_file_type; |
| type cros_shadow_file, file_type, cros_file_type, cros_uncategorized_file_type; |
| type cros_tz_data_file, file_type, cros_file_type, cros_var_file_type; # It's cros_var_file_type because it can be modified by user settings. |
| |
| # r_dir_file is a macro defined elsewhere; presumably it grants chromeos_domain read-only access to directories and files of this type — confirm against the macro definition. |
| r_dir_file(chromeos_domain, cros_tz_data_file) |
| |
| |
| # Filesystem association rules: "associate" on class filesystem decides which object labels may exist inside a filesystem of the target type. |
| allow fs_type self:filesystem associate; |
| allow file_type labeledfs:filesystem associate; |
| # NOTE(review): if create_dir_perms (defined elsewhere) already includes getattr/read/setattr, the first of these two rules is redundant — confirm. |
| allow chromeos_domain tmpfs:dir { getattr read setattr }; |
| allow chromeos_domain tmpfs:dir create_dir_perms; |
| |
| # TODO(kroot,crbug.com/887859): remove this rule. |
| # This is most likely due to a lack of "cp -Z" or similar. |
| # The allow is paired with an auditallow so that every use of this workaround is logged while it stays granted. |
| allow tmpfs labeledfs:filesystem associate; |
| auditallow tmpfs labeledfs:filesystem associate; |
| |
| # NOTE(review): exact duplicate of the file_type/labeledfs rule a few lines above; harmless, but one of the two can be dropped. |
| allow file_type labeledfs:filesystem associate; |
| # TODO(fqj,crbug.com/874980): allow rootfs labeledfs:filesystem is a workaround |
| # before developer use process are confined. |
| # Same allow + auditallow pairing as the tmpfs workaround: granted, but logged on every use. |
| allow rootfs labeledfs:filesystem associate; |
| auditallow rootfs labeledfs:filesystem associate; |
| allow file_type tmpfs:filesystem associate; |
| allow file_type rootfs:filesystem associate; |
| allow dev_type tmpfs:filesystem associate; |
| allow dev_type device:filesystem associate; |
| allow debugfs_type debugfs:filesystem associate; |
| allow debugfs_trace_marker debugfs_tracing:filesystem associate; |
| allow sysfs_type sysfs:filesystem associate; |
| allow devpts tmpfs:filesystem associate; # minijail --mountdev creates symlink in /dev(tmpfs)/ptmx in new root. |
| # Policy-build-time assertion: no rule may let an fs_type label associate with a filesystem whose own label is a file_type. |
| neverallow fs_type file_type:filesystem associate; |
| |
| # sysfs labels: members of sysfs_type only, so the sysfs_type associate rule in this file applies to them but the file_type rules do not. |
| type sysfs_class_devcoredump, sysfs_type; |
| type sysfs_net, sysfs_type; |
| |
| # Socket labels, declared with the same attributes as the other runtime-state (cros_run_file_type) types. |
| type wayland_socket, file_type, cros_file_type, cros_run_file_type; |
| type cros_system_bus_socket, file_type, cros_file_type, cros_run_file_type; |
| type cros_tcsd_socket, file_type, cros_file_type, cros_run_file_type; |
| |
| # TODO(fqj): temporarily let un-decomposed chromeos domain to write file as tmpfs. |
| # Directories created by the chromeos or cros_arc_setup domains inside a cros_run directory get the generic tmpfs label instead of cros_run. |
| # NOTE(review): while this stays in place, such directories are governed by rules on tmpfs rather than by cros_run-specific rules. |
| type_transition {chromeos cros_arc_setup} cros_run:dir tmpfs; |
| |
| # Suppresses the denial log entries only; the association itself remains denied. |
| dontaudit rootfs {device sysfs}:filesystem associate; |
| |
| # /var files creation |
| # Named transitions: a directory with the quoted name created by a chromeos_domain inside a cros_var directory gets the matching subdirectory type. |
| # filetrans_pattern_no_target_perm is defined elsewhere; the name suggests it adds the transition without granting permissions on the target type — confirm against the macro. |
| filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_lib, dir, "lib"); |
| filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_cache, dir, "cache"); |
| filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_empty, dir, "empty"); |
| filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_log, dir, "log"); |
| filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_spool, dir, "spool"); |
| |
| # CTS!! |
| # neverallow { domain -init -vold -vold_prepare_subdirs } vold_metadata_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr }; |
| # neverallow { domain -init -kernel -vendor_init -vold -vold_prepare_subdirs } { vold_data_file vold_metadata_file }:{ file lnk_file sock_file fifo_file } *; |
| # neverallow { domain -keystore } keystore_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr }; |
| # neverallow { domain -shell -installd } shell_data_file:lnk_file read; |
| # should restrict to chromeos link file only. |
| # allow chromeos_domain file_type:lnk_file { read getattr }; |
| |
| |
| # Policy-build-time assertion: no domain may be granted unlink, append or write on regular files of any cros_system_file_type type. |
| # NOTE(review): this covers class file and these three permissions only. Other ways of changing system content (e.g. rename, create, setattr, |
| # relabelfrom/relabelto, or modifying the containing directories) are not asserted here — consider whether the invariant should be widened. |
| neverallow domain cros_system_file_type:file { unlink append write }; |